From YouTube: OpenSSF Vulnerability Disclosures WG (June 1, 2022)
A
I was on mute. Hey everybody, please sign in on the agenda. Let us know if you have any opens you want to talk about. We'll get started in just a minute.
B
Yeah, and even better medicine: there's a park right outside and some really, really tall cherry trees, and so the cats like to sit there and watch the dogs and the squirrels and the birds, and sometimes when they're lucky they get crows, and who doesn't love watching a great big chicken walking around out there. Oh, that's awesome. I have a transparent bird feeder on my glass door, so they can see all of the birds. It's awesome.
A
Everybody's welcome to help take notes. Welcome to the June 1st edition of the best working group within the OpenSSF, the Vulnerability Disclosures Working Group. Do we have anyone here today that is new to the group that wanted to say hello and introduce yourself to your new group of friends?
D
Hello everyone, I'm Yogesh Mittal, ignore my daughter's name there. I work at Red Hat. I'm part of the incident response team at Red Hat, and we just recently got some changes within Red Hat, the organization changes within product security, and my role is towards the vulnerability management piece within Red Hat, and I came to know about this group very late, two weeks back. I missed the bus.
D
Obviously, because I saw the notes, you guys discussed a lot of things and you've got some quite good plans, so I'm trying to catch up, getting on board, and if there is anything from the Red Hat voice, please feel free to let me know how I can help.
A
Now is a great time to jump on board the train. Well, welcome, Yogesh! Thank you. Any other new friends that wanted to say hello and introduce themselves?
E
Hi folks, and apologies camera-wise, I'm in the middle of traveling now, but I just wanted to say hello to everyone. This is Alex Casado with Wipro, and I see my colleague here, Vicky, is also on the line, so nice to see you. But I'm part of the cyber security services, just kind of been looking at some of these different work groups. I'm very interested to contribute along the way. So thank you.
A
Oh, okey dokey. First off, before we get to the opens, I wanted to talk more about the Open Source Mobilization Plan we discussed two weeks back, and hopefully everybody's had an opportunity to read the whole document. Has everyone had a chance to read the document?
A
Awesome. So my proposal for this group: there are two sections that I feel very directly intersect with our work here, streams five and six, and there's other little bits and pieces here and there throughout the rest of the plan. But I think streams five and six are most directly related to our work here.
A
The thing would be, and I'll post a link to the mobilization plan into the Zoom chat, but the OpenSSF, a couple of us, went to Washington and talked to some very nice people from the U.S. government, and we proposed a 10-point plan to help address some of the gaps in the open source ecosystem security, and two of those points, I think, are very related to this group.
A
Stream five is the creation of an open source security incident response team on some level.
A
I think that idea needs a lot of conversation to kind of suss out what that might look like and how it might interact with the community, and then stream six is around vulnerability disclosure discovery and essentially kind of putting some of our guides into practice around CVD.
A
So I don't know, open the conversation on either way. We could have a SIG potentially for each of those ideas. Maybe stream six is just something we do kind of business as usual. Stream five, I feel, is gonna need a lot of focused effort up front to talk through and really kind of shape the plan into something that's more actionable than it currently is, but again, let's talk about it.
F
So I'll start regarding stream five, the incident response. So I might be able to help facilitate someone who is a CDO for a company that does incident response as a service, to maybe talk about some of the challenges and maybe kind of direct or focus on some of the key points that we want to address, if we want to create like an open source platform or structure for incident response.
A
Thank you. I think that would be a very useful contact. So, and my intention is, if we feel this is something we want to move forward with, I would reach out to several members within the community, see if we can get representatives from like the Kubes or OpenStack team to come talk to this group, to kind of help shape that opinion.
A
I was going to reach out to Solar Designer, who helps manage a lot of the behind-the-scenes mailing lists, and kind of get his thoughts and feelings, and reach out to other community members as well. I think that's an excellent suggestion, Joachim.
A
I will create a Doodle and send it to this mailing list, and if anyone is interested, please sign up, express your interest in a time, and we'll see if we can find something that is geographically compatible with a lot of us, and some of us will kind of get together to start to hammer out some of these details, and then we'll report back to this group periodically. Any further thoughts or conversations on that?
H
It happened over a very short period of time, and I'll just, to level set, and maybe like call out the elephant in the room: I mean, I sketched out most of number five, and realistically it has not even close to had the input that it really needs. So for anyone that would like to critique it, suggest new directions for it, help us make it much better than what it is right now.
H
That's extremely welcome and encouraged, and I hope you'll sign up on CRob's Doodle, because realistically this was like a couple of people from the governing board and adjacent trying to like sketch something out pretty quickly, because we knew we wanted the concept of this to be floated, but realistically, like, there's so many improvements that can be made, and it's so much in its infancy as a sketch right now that if you can come and bring suggestions, bring critiques, bring your favorite contacts, whatever you've got.
A
Yeah, and I'll, I don't know if you were on the call the last time, Jennifer, but because I had such vigorous feedback on the original draft, Mr. Behlendorf appointed me the facilitator for the DC stream five meeting, and of the folks in the room in general, the group thought the idea had merit and they wanted to move forward.
A
So yeah, everyone agreed it's very rough, but at least in principle there are folks that have expressed they wanted to help out, to try to help refine and make this a reality.
A
And just so, I don't know if I mentioned last time, the TAC, the Technical Advisory Committee that oversees the working groups, we're in the middle of refining some of the structure and processes of how the foundation works, and we used to, old CRob from two months ago would refer to this as a project that we would work on together.
A
All right, I see, and I'm very excited about this: Emily has an open that she wanted to share with the group that I am super excited about. Emily, are you eager and able to talk about...
I
The news? So actually it's Eric. I'm here. I communicated with Emily about next meeting, so she's good to go for next time. I guess I should have put in that little thing. I also didn't know if this is the sort of thing you meant by open, so I just put it here, because, okay, yeah, so she's fine to meet with the group next time, June 15th, and I thought what you were looking for was some sort of like a little demonstration and/or answer questions.
A
So, to provide everybody context, the folks at CERT/CC, Software Engineering Institute, I don't know exactly.
I
We're in the SEI, but yeah, CERT/CC is our little group, yeah.
A
So there's a group of folks, and Emily is the developer, created a tool called VINCE that is used for helping coordinate vulnerabilities. It's pretty heavily used within the vendor ecosystem, and we thought it was... We had a presentation a long time ago talking about it, and they have finally open sourced the code for VINCE. So this is potentially a platform that we could leverage in trying to, like, for example, empowering stream five to contact people.
A
So the folks at SEI have generously volunteered to come in and talk about it, and they've open sourced this tool, and it's something that we potentially could use and possibly even contribute to, to make better. So we're gonna get a little demonstration in a couple weeks.
I
Yeah, great. I'm happy to convey anything else to her ahead of time if you want me to, including contact info or something if you want to do it directly, but I'm also happy to intermediate and tell her what you want her to know beforehand.
G
Madison and I were going to take a crack at this on Friday, but then I realized I had Friday off, so we touched it. We did a couple hours on it last weekend. Yeah, didn't get much further. All right, didn't get much further than that.
B
Still need to get back to finishing my review of it. It's been a to-do item that unfortunately just keeps getting bumped every day as other things come up, and apologies for that. But I know you all understand.
B
Yes, absolutely, and we love, love feedback. By no means do I want me and Jonathan to be the only ones that have reviewed and worked on this. So I'm super appreciative of any feedback. A lot of sections are still very work in progress. So if you see anything that looks like it's unfinished, that's probably because it is unfinished.
G
Where there was a bunch of those written, and it was like copy and paste from the old doc, and so, I mean, like, this does not make any sense in the context of a reporter, so we've been hacking and slashing and ripping and pulling it and rewriting it for that. So, but yes.
A
So I had the great opportunity today to have unscheduled time, so I went through and provided some feedback. My first point of feedback, I think we should talk about: while my conference persona loves all the memes, I think, as a semi-official document...
G
I haven't, yeah, I respect the perspective. I also know that, as a reader, I'd, I would like to write, I'm trying to write a document that I would want to read, and so that's the mindset that I'm going into this with, is like: I would like to make this something that is memorable, that is valid, like it's not a block of just text, right, because if I'm gonna look at a guide like this that has just a wall of text, I'm gonna skim it and not care, right.

G
If there's something entertaining to it, I'm gonna invest the time to sit down and actually read through it. As a security researcher, that's the ten cents that I am kind of coming at it from, and that's why I made the intentional decision to say, okay, like, I'm gonna write this the way that I would want to read a document as a security researcher who's, you know, there's tons of things that I can read all over the internet, all right. Why do I want to sit down and read this one? Oh, this looks entertaining.
B
Vicky, I'm going to kind of walk the line between the two, because I agree that memes are maybe not the best thing, and I haven't seen the memes since they were added. I do know that if they're animated GIFs, as much as I love them, being a Twitter native, they're gonna distract me ridiculously. Anything moving on the screen and I'm right there and I'm not paying attention to the words. So that's going to be a problem. So I also think that they're not especially professional.
B
I don't know that that's really a problem. I think, perhaps, to make it more... So I'm gonna put on my book editor hat here. We can change the language to make it more accessible. We can add diagrams to make it more accessible. We can add pieces of artwork to make it more accessible, things that don't move. You know, xkcd, if it's appropriately cited, because it is CC BY-NC.
B
I believe, you know, those sorts of things we can do, but perhaps not memes. So kind of split the difference between stuffy academic that nobody wants to spend an hour reading, which I don't think we've actually hit with our...
B
Oh my god, yeah, I wasn't pointing any fingers, but since, well, what he did, no, no, no. And then, you know, highly casual sort of thing. You know, split that difference in there, so be serious about the content, but perhaps be casual in the way we present it. So I'm sure when I see the memes I might have some thoughts about that and recommendations for how to shift it. But I probably don't think memes are specifically the right thing, but maybe there's a way.
B
We can do something with that idea. So I'm with Jonathan, want to make it easy for people to actually get through the damn thing, but we also want them to remember the content and not the memes, right, and that's part of the problem with the memes, and that's why really you shouldn't be putting too many of those on your screen when you're presenting, because everyone's trying to figure out what the meme means and they're not listening to you. So you have to consider your audience's needs, and so that's too many words.
A
All right, any other thoughts about the graphics or comments on the document we want to dive into?
B
Well, Linux Foundation has a lot of resources on that front, so I know that they have some that we can probably leverage, but we should also beta test it with some external readers.
L
This seems like the sort of question that I should know the answer to, but I'll be honest, I don't. So, but we have some folks, I think the answer is we have tech editors. They're pretty busy, so we probably shouldn't overwhelm them, but I'll probably have to get back to you on that.
L
Yeah, but I think the reality, though, is that the tech editors can help, but they can't create silk purses from sow's ears, so it needs to be, you know, in sort of decent shape to start with. You know, they can help make it clear what you're saying, but they can't decide what you're going to say.
B
Sorry, David, would you be able to, assuming that having a tech editor review this is an option that we have available to us, can you find out how long they would need to review this? Basically, so we can try to get... I think our goal is to have this done by August, but I assume we would need it sooner for a tech review at the very least, and to have other reviews.
A
So some news about our goal. Yes, we do have the goal. We were hoping to get this done to announce at Black Hat. Sadly, my proposal for the call for papers was politely declined, so we don't have that necessarily as a hard deadline. I still would like to keep to that if we can, but we don't have a platform at Black Hat, at least, to share more information about this, but that doesn't mean we couldn't still synchronize with it.
G
Two questions. Black Hat, besides closed, there's Black Hat EU, potentially, to throw it at. The other question: I just did a little, I mean, light digging for the topic of copyright.
B
Yeah, it kind of depends upon whose copyright codes. I spend way too much time at the copyright, well, whose copyright trust are you going to step on, right? If, exactly, that's...
B
Yeah, yeah.
B
As far as editors, I've worked with technical editors for other sub-foundations of LF, so I know they're there, and how much attention you can get from them really depends upon their workload at that time. But Madison's question of how much lead time is always a respectful one, right, and something we should certainly keep in mind, but now that we've got a little more flexible date, maybe that can help us a bit.
A
And we also need to get in the queue of the OpenSSF's marketing director now a bit too, once we are more solid on it and have a little bit better idea of exactly when we're ready, to get on her plate, so that we can, that committee's plate, so that they can figure out how the foundation wants to advertise it.
B
Yes, well, they have generally trademark guidelines for these sorts of things, but it's a lot more flexible.
B
They don't have specific brand guidelines, and OpenSSF doesn't at all yet, because we only just got our marketing director, yay, just a couple of weeks ago, but it would be great to have her show up to a call at some point in the next month or so to kind of, you know, introduce herself and hear what we're up to, and so she can kind of work it into her long-term plans.
A
So other comments about the document: anyone have any objections or suggestions to the content that exists, or has anyone spotted anything that is a big gap yet?
B
One question that I had while rewriting it, that I added as a comment, but I wanted to bring up to the larger group: it seems like having a glossary could be helpful, and it seems like we could have a lot of words from the first guide that could be helpful too. So there were some things that were defined there, a lot of things that we're defining here too, and I'm realizing, like, adding the definitions in the text can be a little much.
B
I realized that we were like defining the same term in both places, so it made sense to do it in the first stop, right, because that was all there was at the time. But as for developing more documents, I think having a single glossary can probably make more sense, so I'm happy to start putting stuff there as we're working on this, if we are okay with that.
L
David, yeah, so I'm gonna ask the tech editor how long it would take to review the doc. Looks like we're shooting for under 20 pages. Is that, just looking at what we've got here, that feels right? What...
J
And this is Kayla. I just want to add, from the where to replant the kind of difference between VDP and BBP section, I guess, just kind of tooling through this, figuring out where that might fit best, because right now we still have it just in the brainstorming notes section. So I guess that's something I'm happy to kind of take a look at, and maybe I'll take a stab at placing it somewhere else.
J
Embedding it somewhere else within the document or leaving it as its own section, but just moving it up so that it's out of the brainstorming notes area, and then totally open and happy for feedback for where that should go, and making sure it's not duplicative, because I think it still could be a bit duplicative from what we already have up top. So that's something I'm happy to take a stab at.
A
Thank you, Kayla. I think it would make a good section. We already have referenced it at least once in my reading through it, talking about a bug bounty program, so I think that would be great to have that as a section. Probably I would put it towards the end, but...
A
I think I'll officially put it as a vote to the mailing list, so I would encourage everyone to read your mail. You're gonna get two mails from me, one about a Doodle for the SIG, and then I'll do one about the memes, so that we can kind of have a group consensus on how we would like that to go forward.
A
Welcome. And David, in another working group we were talking about creating exciting and unique pictures. Have you heard any more information from the DALL-E project?
L
Well, that's OpenAI, so yeah. So quick, quick context: for the fundamentals course on how to develop secure software, we'd like to spice it up a little bit, add more pictures. So I asked the OpenAI folks if we could use their DALL-E 2. So there's two different answers. One is the legal answer, and one is, do you have access to the tool.
L
The legal answer from them is yes, you know, if it's freely available, non-profit. You know, they do have some constraints, but I can't believe... I mean, they don't want violence, they don't want nudity, they don't want individual actual humans' pictures, faces on them, but I think those are all, their requirements are all doable. The bigger problem is access to the tool: they run it as a service, and I have put in to their lists, and I have made various requests out to people.
L
I know, to try to get me in front of the queue, and that's been totally unsuccessful in trying to get to the head of the line. Curses. So if somebody knows a way to sneak ahead of the line, you know, and knows the secret red carpet handshake, that'd be awesome, but I do like the idea of trying to use some generated images. If nothing else, they can be interesting, and we do have a graphics department.
F
Just, I might be able to connect with a PhD that works there, so I'll try. If I'll be able to get through, I'll let you know on Slack.
L
That'd be awesome, and I'll also slap my email address in the chat, so you can, but so yeah, yeah. Thank you very much. I don't know, even if you're not successful, I would appreciate the effort.
B
I think that the idea of using the AI to generate images is interesting from a just entertainment point of view. I think, from a functional point of view, what we're going to get are images that are going to allow our readers to scratch their heads and think more about what does this mean and where did it come from, and how does it relate to the content?
B
Than allow them to engage with the content.
B
So it might seem easier and more fun to use this shiny new toy, but I think it's going to be more effective for our audience, who we should always be putting front and center, for us to dig through Creative Commons images and/or create diagrams, if necessary, if relevant to the content, than it is to come up with shiny new AI-generated images. I'm sorry to rain on your parade.
B
I am the meanest ape in the room and I apologize for that, but from an audience perspective, I just don't think it's going to be effective. I would like to be proven wrong. You know, I'm happy to be proven wrong, but I've worked with way too many editors in my life for this not to set off red flags.
L
Well, since we don't have access to the tool, we have no way to know whether or not we can make it generate interesting, you know, not just interesting but useful enough. What's intriguing about these tools is they don't just, say, create random, arbitrary images, but you give them a text prompt and it creates...
B
I've seen some of the output from the text prompts, and they are hilariously ludicrous in many cases, which is great, and it makes for, you know, great social media engagement, and I know that, you know, we're kind of doing the whole airplane, I'm only seeing the things that they find most entertaining and not the stuff that they find to be less entertaining, but still, from the selection I've seen, I'm not convinced that we're going to get things that aren't head-scratching out of it.
L
What I would say is, if we get the opportunity, let's try it, but I also agree with you that, since we don't have, and even if we do, we don't know if it'll be successful. We shouldn't depend on that as the one true and only way, because we don't...
L
If either we'll get access or that will... I certainly agree with you that many shiny tools don't live up to the hype, so, you know, having an alternative is a good plan, yeah, which could be no. No, I mean, there's nothing that says we have to have lots and lots of images. Frankly, I'd rather...
G
Like, are more realistic and less, like, you know, confusing in terms of, like, their abstract nature, so those may be more relevant if we're looking for, like, let's punch text in and see if we can get an image out, sort of, you know.

G
I think the idea here is, like, let's expand the range of images that we can find to, like, satisfy the content that we're trying to match, over, like, what Creative Commons pools of images are going to have, right. Like, let's give us a slightly larger pool of potential images we can inject into as content to help tell the story. Not like, I don't think the goal is like, this is interesting, let's sew this image in just because it looks interesting.
A
And I will say that, as we move on to a future phase of evangelizing our work, I'm all for leveraging the pictures as they are, because that's very much my style, but yeah, we'll see. We can let the group weigh in to see what everyone's thoughts are about it.
A
Thank you, Crystal, you're my straight woman today. Let us see, so focusing back on the document.
A
Those that are more familiar with it, are there any additional gap areas we think we need to create or find content for? I put some suggestions in this morning myself, but I'm curious to see what the larger group has to say. Morten, you...
M
Can hear me? Yeah, awesome. So I haven't been there for a while, so I have just started reading through the document now, and it looks fine. There's some things like, there's sort of coordinated disclosures, embargoes, sort of things, and how they're usually dealt with should probably be a bit better explained.
M
In this perspective, I also think it's worth probably mentioning what some people should do if they don't have time to deal with the disclosure themselves, because if some projects are packaged by Linux distributions, some Linux distributions do have CNA teams and incident response teams that can sort of take the possible security issue and sort of take and fix it and deal with the disclosure for you, and that's, sure, it's a shortcut and maybe not what you want to focus on, but I think I should probably mention it, but that's sort of the only gaps that I can see.
A
Nice, and that's, I put the suggestion in this morning around CNAs of last resort, so to start to suss out that idea a little more.
G
Madison and I have been working on other parts of the document. What is the current status of the, so I can't remember who was working on it, the difference between VDP and bug bounty program? Where is that content currently? What's the state of it? Is there more of it, or is it still being worked on?
J
The style we took was a little bit more bulleted lists versus a paragraph form, so as I am re-fitting it up into the document, or where it fits best in the document, I'll probably, Crystal and I could probably change it around to help it fit the style that we're going for, but I think the content itself is pretty much where we're at, is the content that we have in the bottom, and right now it is under the brainstorming...
J
Well, it's the brainstorming notes section, but the content itself is pretty much what we have and will just need to be built into paragraph form, if that even is necessary. Sometimes bulleted lists can be just as professional and easy to follow as well. So it's just about finding the right home for it, really, more than it is, I think, at this point, a super detailed content aspect.
K
Yeah, we were trying to make it easy to read, and so people would, you know, consume it quickly, understand it easily. But if we're going for more of a paragraph style, yeah.
B
Yeah, I was going to suggest the checklist idea, but also once the document is more or less done, I know, like, we're just right there, once the document is more or less done, I would also recommend that we add a max of like half page or something like that executive summary at the top. Nobody's going to read the entire thing.
B
We know that. If they do, we'll be lucky, but condense it down to just the top bit and they're more likely to read that, right, and then, if you need more information, drill down for that. And so like the executive summary, the TL;DR, call it what you all will, but just to acknowledge that it will be a long document. We respect your time.
B
Here's the, if you can only take away these three things from this document, do these sorts of things, or five, or pick some arbitrary number, I don't care, but I do recommend we do that at the end.
A
Completely agree. I was once admonished by a dear friend of mine that sounds like a Dave Wheeler, and he admonished me for trying to write the introduction before the document. So we definitely need to have that TL;DR at the top once we're all done, or closer to being finished.
G
Jonathan, I, on the VDP versus bug bounty program, I don't know what it... So checklist is like the...
G
Maybe for that a side-by-side comparison might be a better con, right, like what is the VDP, what is the bug bounty program? I do want to make sure that we include in this document, like, a very explicit warning to, and I don't know how to communicate this, like maybe like a banner warning, whatever. But, you know, as I have experienced a lot, especially with bug bounty programs run by HackerOne or Bugcrowd, is that the default template people end up rolling with includes an NDA, and so, like, you know, an explicit warning of, hey, if you're encountering a vulnerability disclosure program or a bug bounty program, before you disclose, make sure that you're not unintentionally agreeing to a non-disclosure agreement about the vulnerability you're disclosing when you're dealing with vulnerabilities in open source, and, like, making that, like, an explicit, apparent, like, "here there be dragons", like, be careful before you play this game sort of thing, or like, re-read carefully when you're going through, before you submit your vulnerability.
A
You need to remember that our primary stakeholder in this is trying to support and improve the open source ecosystem and maintainers. So we need to be very careful about how we word things and try to remain neutral. Bug bounty programs are a valid option and some projects elect to do that. It is not common practice, right. We need to be very measured in how we state that, but yeah, we absolutely could put...
G
Right, yeah, it's not about, but I got, bug bounty programs are wonderful, right. It's about the NDA that it gets associated, like the NDA being the problem around, like, enforcing, like, you can't just, you disclose a vulnerability to this program, you can't, it's not allowed to be public afterwards, right, because a lot of stuff in open source requires a CVE as a part of the disclosure to actually get it to the end users, to get them fixed, right.
G
We're running into this issue with the Amazon security team, where they're, like, you know, hey, like, we've never handled this before, like, we'd love to support you, but we've not, you know, we've not... We don't normally do one of the disclosure, and our program for handling this stuff has an NDA, and I'm like, can you give me a waiver then, right, like, I'm happy, you know, I'd love a bounty out of this, but, like, you gotta give me a waiver on your NDA, because this needs to get disclosed.
K
I think we discussed this in a prior call, and the consensus was that that's not a prevalent issue in kind of open source software. I know you're giving this Amazon example, and I think you gave a Netflix example before, but I think with the audience being open source and...
G
I mean, it's a common issue when you're disclosing a security vulnerability to a corporate entity that manages an open source project. It is common in that context. It is not common to open source in general, but as soon as you are dealing with a corporate entity that owns an open source project, it is a common thing to encounter in that context.
G
Netflix, I've run into this issue with Amazon, Expedia, Hotels.com, like, these are concrete examples of cases that I've run into this, where you report a vulnerability, for example, Expedia, they had a security@ email address. You report the vulnerability to the security@ email address. They send you an email back saying, great...
G
So yes, I have first-hand experience with this exact problem, and it's common when you're dealing with these. It's not, I've talked to Alex Rice, right, and I've talked to, what's his name, who runs Bugcrowd, he's the CTO of Bugcrowd, and they were like, that's not the way it should work, and I'm like, I agree, that's not the way it should work, like, that's not the way.
G
We want these things to work, but it's the way that these programs have ended up getting set up, stood up by the legal teams that have worked with these security teams to establish them, and you have to challenge them. You're just like, no, there is not going to be an NDA in this, like, that's an explicit step that has to go into this, and it's annoying.
G
It really annoys me, like, it's not part of the game that I want to play, but it's something you have to consider, because otherwise you end up, like, you know, in a case where you're like, well, you're supposed to... vulnerability, but you're allowed to... We can't, we're not going to let you publicly disclose it. It's like, that's, you know, you're not protecting users, and the company gets to hide their dirty laundry.
N
Yeah, I think that we won't solve this complex challenge on this call today, but I did want to, you know, basically voice support for further investigation on this, because I do think it's a legitimate concern. There's also an inherent cultural conflict, maybe, is one way to think about it, between how an enterprise would view this versus how a community would view this, and then...
N
Lastly, as it relates to this issue, you know, part of the justification for an NDA might be to, you know, hide the quote-unquote dirty laundry, but the other element of that is the idea of ethical disclosure, and that you don't want to... part of the reason for an NDA is that it's very important for, especially, a business entity to get the timing of the disclosure correct, because of the desire to minimize the potential blast radius. And I'll step back.
H
Just kind of briefly, in support of Jonathan's point: I've done hundreds of disclosures in the last few years, and there's definitely an uptick in people being routed through bug bounty platforms, even when they're not engaging in bug bounty. In fact, like, the disclosures that we're typically doing are explicitly not wanting a bounty, because usually there's a client conflict for us anyway, and even then there are certain teams, and there's been a large number of them...
A
Thank you, and again, I'm not backing the idea, I'm just stating we need to be as neutral and fact-based and...
G
...that is ethically in the wrong for having released a piece of software without adequately testing it, right. So there's this whole, like, ethics component about, like, and it all has to do with perspective, and so the way that the industry has moved has been: let's move towards coordinated disclosure, where a researcher and the organization decide about how the vulnerability disclosure is going to occur, and then that's how it flies.
G
I personally, and I follow Google's vulnerability disclosure policy, so that's 90 days, and if you don't have a fix out in 90 days, it's going public no matter what, right. Google does that same thing, and so establishing these sets of norms are important, and the reason behind that, especially for Google, is that they had a long history of reporting vulnerabilities as Project Zero and having nobody actually fix them in a timely manner until they instituted a 90-day disclosure timeline.
G
As soon as they instituted a 90-day disclosure timeline, they started seeing many of their vulnerabilities get fixed within that time frame, right, and so the, like, morality and ethics are subjective, and it's difficult. It's a...
N
And thanks for that additional clarification, because I do agree, nothing precipitates action like an impending event.
O
Yeah, I think ethics goes both ways. Not all people who report vulnerabilities are altruistic. I experienced firsthand in the Apache Foundation, of my project, that we... a person who's starting a new company withheld vulnerabilities until we produced a first release of a project there. So we have, you know, we need to bear in mind that, you know...
O
When it comes to... drop it, but I'm saying it's like they should be disincentivized by saying, when you report it, you... I'm saying there might be a need for some agreement. You don't like it, because people hold them back. I'm saying that goes both ways. So people are holding back vulnerabilities because they're going to profit from it.
A
...thoughts, and put them into the document, that we can kind of articulate, iterate over them there. This is a good conversation. I appreciate everyone's passion on the topic, and we will talk to everyone in two weeks, and you'll see two emails from me very soon, and please focus your energy in writing the con... your ideas down, and we can figure out the best way that this group can get that out and share it with the world. Thank you, everybody, appreciate your time, have a great day.